Hello,
I am seeing an unexpected (for me at least) behaviour when setting my CSP headers in my _headers file.
Since my CSP list is quite long I'd like to break it down into multiple lines like so (this is a stripped-down version, just an example):
```
/*
  X-XSS-Protection: 1; mode=block
  Content-Security-Policy: default-src 'self';
  Content-Security-Policy: script-src 'self' 'unsafe-inline' https://www.googletagmanager.com;
```
This validates on redirects-playground like so:
```toml
[[headers]]
  for = "/*"
  [headers.values]
    Content-Security-Policy = [
      "default-src 'self';",
      "script-src 'self' 'unsafe-inline' https://www.googletagmanager.com;"
    ]
    X-XSS-Protection = "1; mode=block"
```
And I would expect to see the values of the CSP fold to a single value like so:
```
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com;
```
Which is a valid CSP directive (CSP Header Inspector and Validator).
If I try to deploy that though, here’s the result I see in my headers:
```
default-src 'self';, script-src 'self' 'unsafe-inline' https://www.googletagmanager.com;
```
(x-nf-request-id: 5f73cde1-aac6-4bd8-b0a9-ee2edf06b76b-487459)
Notice the comma after the first semicolon. That makes the policy invalid:
Even removing my semicolons would still make it invalid, because the result would be:
```
default-src 'self', script-src 'self' 'unsafe-inline' https://www.googletagmanager.com
```
And the separator should be `;`.
This is not a blocker for me, I solved this by declaring everything on one line.
Still it would be nice to have a way to spread the directive on multiple lines to make both reading and diffs easier to scan.
Let me know if I'm doing anything wrong or if I can provide more details.
Many thanks!
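As an added example (not code from the post above and not Netlify's own tooling), here is one way to keep the readability of a one-directive-per-line list while still shipping a single-line header. A small build step keeps the directives as an array, joins them with `; ` itself, and writes the `_headers` block in the path-then-indented-headers layout the post shows; a companion check flags a served CSP value that was folded from several header lines, which is recognisable because a comma never appears inside a single policy. The function names `buildCsp`, `renderHeadersFile` and `foldedCspParts` are my own, and the `CSP_DIRECTIVES` array is a constructed sample mirroring the post's policy.

```javascript
// Added example, not code from the original post or from Netlify.
// Keeps CSP directives as a readable one-per-line list in source and emits a
// single-line header for a _headers file, so nothing downstream has to fold
// repeated header lines. Names buildCsp, renderHeadersFile and foldedCspParts
// are my own.

// Constructed sample mirroring the policy in the post, one directive per element.
const CSP_DIRECTIVES = [
  "default-src 'self'",
  "script-src 'self' 'unsafe-inline' https://www.googletagmanager.com",
];

// Join directives into one header value with "; ". A directive must not
// itself contain ';' (it would double up after joining) or ',' (HTTP's
// separator for combined repeated header fields, RFC 7230 section 3.2.2,
// which is the artifact the post shows).
function buildCsp(directives) {
  const cleaned = directives.map((d) => d.trim()).filter((d) => d.length > 0);
  for (const d of cleaned) {
    if (d.includes(";") || d.includes(",")) {
      throw new Error(`directive must not contain ';' or ',': ${d}`);
    }
  }
  return cleaned.join("; ");
}

// Render a minimal _headers file block: a path line followed by indented
// "Name: value" lines, each header on exactly one line.
function renderHeadersFile(path, headers) {
  const lines = [path];
  for (const [name, value] of Object.entries(headers)) {
    if (/[\r\n]/.test(value)) {
      throw new Error(`header ${name} must be a single line`);
    }
    lines.push(`  ${name}: ${value}`);
  }
  return lines.join("\n") + "\n";
}

// Check a served CSP value. A comma is never part of a single policy; it only
// appears when several header lines were combined. Returns the pieces the
// value was folded from (trimmed), or null if the value is a single policy.
function foldedCspParts(headerValue) {
  if (!headerValue.includes(",")) return null;
  return headerValue.split(",").map((p) => p.trim());
}

// Stand-alone demo: build the header, show the generated _headers text, and
// run the fold check against the value the post saw in production.
const csp = buildCsp(CSP_DIRECTIVES);
console.log(renderHeadersFile("/*", {
  "X-XSS-Protection": "1; mode=block",
  "Content-Security-Policy": csp,
}));
console.log(foldedCspParts("default-src 'self';, script-src 'self'"));
```

Running the script prints a `_headers` block whose `Content-Security-Policy` line is already joined with `; `, so the deployed value matches what the post expected; pointing `foldedCspParts` at a response header captured after deploy gives a quick post-deploy check that no folding happened.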